Configure NAT64 for IPv4-Initiated Communication with Port Translation
This task builds on the task to Configure
NAT64 for IPv4-Initiated Communication, but the organization
controlling the IPv6 network prefers to translate the public destination
port number to an internal destination port number and thereby keep
it private from users on the IPv4 untrust side of the firewall.
In this example, port 8080 is translated to port 80. To do that,
in the Original Packet of the NAT64 policy rule, create a new Service
that specifies the destination port is 8080. For the Translated
Packet, the translated port is 80.
Enable IPv6 to operate on the firewall.
Select Device > Setup > Session and
edit the Session Settings.
Select Enable IPv6 Firewalling.
Click OK.
(Optional) Because IPv6 routers do not fragment packets in transit,
ensure that an IPv4 packet whose DF bit is set to zero does not, after
translation, produce an IPv6 packet that exceeds the path MTU of the destination
IPv6 network.
Select Device > Setup > Session and
edit Session Settings.
For NAT64 IPv6 Minimum Network MTU,
enter the smallest number of bytes into which the firewall will fragment
IPv4 packets before translating them to IPv6 (range is 1280-9216; default is
1280, the minimum IPv6 link MTU).
If you don't want the firewall to fragment
an IPv4 packet prior to translation, set the MTU to 9216. If the
translated IPv6 packet still exceeds this value, the firewall drops
the packet and sends an ICMP Destination Unreachable (Fragmentation
Needed) message.
Click OK.
Create an address object for the IPv4 destination address
(pre-translation).
Select Objects > Addresses and click Add.
Enter a Name for the object,
for example, nat64_ip4server.
For Type, select IP
Netmask and enter the IPv4 address and netmask of the
firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
Click OK.
Create an address object for the IPv6 source address
(translated).
Select Objects > Addresses and click Add.
Enter a Name for the object,
for example, nat64_ip6source.
For Type, select IP
Netmask and enter the NAT64 IPv6 address with a netmask
that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
For this example, enter 64:FF9B::/96.
(The firewall
encodes the IPv4 source address into this prefix. For the source 192.1.2.8,
which is C001:0208 in hexadecimal, the translated IPv6 source address
is 64:FF9B::C001:208.)
Click OK.
Create an address object for the IPv6 destination address
(translated).
Select Objects > Addresses and click Add.
Enter a Name for the object,
for example, nat64_server_2.
For Type, select IP
Netmask and enter the IPv6 address of the IPv6 server
(destination). This example uses 2001:DB8::2/64.
The source and destination must have the same netmask
(prefix length).
Click OK.
Create the NAT64 rule.
Select Policies > NAT and click Add.
On the General tab, enter a Name for
the NAT64 rule, for example, nat64_ipv4_init.
For NAT Type, select nat64.
Specify the original source and destination information,
and create a service to limit the translation to a single ingress
port number.
For the Original Packet, Add the Source
Zone, likely an untrust zone.
Select the Destination Zone,
likely a trust or DMZ zone.
For Service, select New Service.
Enter a Name for the Service,
such as Port_8080.
Select TCP as the Protocol.
For Destination Port, enter
8080.
Click OK to save the Service.
For Source Address, select Any or Add the
address object for the IPv4 host.
For Destination Address, Add the
address object for the IPv4 destination, in this example, nat64_ip4server.
Specify the translated packet information.
For the Translated Packet,
in the Source Address Translation, Translation
Type, select Static IP.
For Translated Address, select
the source translated address object you created, nat64_ip6source.
For Destination Address Translation,
for Translated Address, specify a single
IPv6 address (the address object, in this example, nat64_server_2, or
the IPv6 address of the server).
Specify the private destination Translated
Port number to which the firewall translates the public
destination port number, in this example, 80.
Click OK.
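The following is an added worked example, not PAN-OS code or part of the original page. It shows what the NAT64 rule above does to a packet: the RFC 6052 embedding of the IPv4 source into the NAT64 prefix (for every prefix length the page lists, not only /96), the destination and destination-port rewrite (8080 to 80), and the size check behind the NAT64 IPv6 Minimum Network MTU setting. The function names are assumptions; the addresses, ports and object names are those used in the procedure, and the sample flow is constructed.

```python
# Added worked example (not PAN-OS code): RFC 6052 address embedding and the
# rewrite performed by the NAT64 rule above. Function names are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Prefix lengths RFC 6052 allows for a NAT64 prefix (the list the page gives).
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _nat64_prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2).

    Bits 64-71 of the result (the "u" octet) must be zero, so for prefixes
    shorter than /64 the 32 IPv4 bits are split around that octet; for /96
    they simply become the last 32 bits of the address.
    """
    net = _nat64_prefix(prefix)
    plen = net.prefixlen
    prefix_bits = format(int(net.network_address), "0128b")[:plen]
    v4_bits = format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if plen == 96:
        bits = prefix_bits + v4_bits
    else:
        head = 64 - plen  # number of IPv4 bits that fit before the u octet
        bits = prefix_bits + v4_bits[:head] + "0" * 8 + v4_bits[head:]
    return ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2))


def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Inverse of embed_ipv4: recover the IPv4 source from a translated address."""
    net = _nat64_prefix(prefix)
    plen = net.prefixlen
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    bits = format(int(addr), "0128b")
    if plen == 96:
        v4_bits = bits[96:128]
    else:
        head = 64 - plen
        v4_bits = bits[plen:64] + bits[72:72 + 32 - head]
    return ipaddress.IPv4Address(int(v4_bits, 2))


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def translate_ipv4_initiated(
    flow: Flow,
    nat64_prefix: str = "64:ff9b::/96",      # address object nat64_ip6source
    ipv4_dest: str = "198.51.19.1/24",       # address object nat64_ip4server
    orig_dport: int = 8080,                  # service Port_8080
    translated_dst: str = "2001:db8::2",     # address object nat64_server_2
    translated_dport: int = 80,              # Translated Port
) -> Optional[Flow]:
    """Apply the rule: match the IPv4 destination and the service port, then
    rewrite the source (prefix embedding), destination and destination port."""
    dest_net = ipaddress.ip_network(ipv4_dest, strict=False)
    if ipaddress.ip_address(flow.dst) not in dest_net or flow.dport != orig_dport:
        return None  # rule does not match; the packet is not translated
    return Flow(
        src=str(embed_ipv4(nat64_prefix, flow.src)),
        sport=flow.sport,
        dst=str(ipaddress.IPv6Address(translated_dst)),
        dport=translated_dport,
    )


def ipv6_size_after_translation(ipv4_total_length: int) -> int:
    """A 20-byte IPv4 header (no options) becomes a 40-byte IPv6 header."""
    return ipv4_total_length + 20


def needs_fragmentation_before_translation(ipv4_total_length: int,
                                           nat64_min_mtu: int = 1280) -> bool:
    """True when the translated packet would exceed the configured NAT64 IPv6
    Minimum Network MTU, so the IPv4 packet (DF bit zero) must be fragmented
    before translation."""
    return ipv6_size_after_translation(ipv4_total_length) > nat64_min_mtu


if __name__ == "__main__":
    sample = Flow("192.1.2.8", 40000, "198.51.19.1", 8080)  # constructed sample flow
    print(translate_ipv4_initiated(sample))
    print(embed_ipv4("64:ff9b::/32", "192.1.2.8"), embed_ipv4("2001:db8::/64", "192.1.2.8"))
```

Note that a full-size 1500-byte IPv4 packet becomes a 1520-byte IPv6 packet, which already exceeds the 1280-byte default, so the firewall fragments it before translation unless the minimum MTU is raised.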
Create a security policy to allow the NAT traffic from
the Untrust zone.
Select Policies > Security and Add a
rule Name.
Select Source and Add a Source
Zone; select Untrust.
For Source Address, select Any.
Select Destination and Add a Destination
Zone; select DMZ.